
Guidance on who is a “key information infrastructure operator” under the PRC Cybersecurity Law, and draft regulations on handling minors’ data

In the rapidly evolving data protection compliance environment in the People’s Republic of China, this month has seen some helpful clarification around two areas of uncertainty – namely:

some further indications as to who will be deemed a “KIIO” (and so subject to the data localization rules under the PRC Cybersecurity Law); and

on the additional safeguards required when handling personal data of minors,

but unfortunately in both regards significant uncertainties remain.

New Cybersecurity Strategy gives first guidance on application of PRC Cybersecurity Law

Following the recent enactment of the PRC Cybersecurity Law, China’s Internet regulator published the country’s first National Cyberspace Security Strategy (the “Strategy”) on December 27, 2016. The Strategy offers few fresh initiatives but summarizes goals within the PRC Cybersecurity Law and other regulations passed over the past year. A guiding concept is “Internet sovereignty”, which the Strategy defines as China’s right to police the Internet within its borders and participate in managing international cyberspace. In particular, the Strategy emphasizes the strategic need to safeguard key information infrastructure operators (“KIIOs”).

Most importantly, the Strategy seeks to clarify the definition of a KIIO, by providing guidance on the industries which the Chinese Government will prioritize with respect to cybersecurity.

A KIIO is defined in the Strategy as an operator of “information facilities that have an immediate bearing on national security, the national economy or people’s livelihoods such that, in the event of a data leakage, damage, or loss of functionality, national security and public interest would be jeopardized”. This aligns with the definition in the PRC Cybersecurity Law, and indicates that the potential impact of a security breach is a key factor in determining who will be considered a KIIO.

In addition, the expanded definition put forward in the Strategy includes clarification on the industries that the Chinese authorities consider to be operating key information infrastructure. The PRC Cybersecurity Law listed “public communications and information service, energy, transportation, hydropower, finance, public service, e-government and other critical information infrastructure”, and the Strategy clarifies this by:

listing “basic telecommunications networks that provide public communications, radio and television transmission and other such services” to expand on the definition of “public communications” operators;

noting that important information systems in sectors and State bodies in the additional fields of “education”, “scientific research”, “industry and manufacturing”, “medicine and health” and “social security” will also be caught; and

identifying that “important Internet application systems” will be deemed to be KIIOs as well. Unofficial reports suggest that this is intended to catch popular apps such as Taobao and WeChat which have millions of daily users in China who would be affected by a security breach.

Organizations within these newly highlighted sectors are now also advised to pay attention to the additional cybersecurity and data protection obligations imposed on KIIOs in the PRC Cybersecurity Law and to consider updating their compliance programs accordingly.

Unfortunately this additional guidance is far from definitive: it remains unclear whether every organization in the specified industries will automatically be a KIIO if it operates any network (potentially even just a website) in the People’s Republic of China. Further, other key uncertainties under the PRC Cybersecurity Law – including the definitions of “network operator” and “important business data” – remain. The ongoing uncertainty is extremely unhelpful for local and international organizations trying to identify whether they need to update their China compliance programs in advance of 1 June 2017, when the PRC Cybersecurity Law becomes effective, and we hope that further guidance will be published shortly.

Draft Regulations on the protection of the use of Internet by minors published for comments

The State Council published for public consultation the draft Regulations on the Protection of the Use of Internet by Minors (the “Draft Regulations”) on January 7, 2017 to provide additional protection to minors (i.e., Chinese citizens under the age of eighteen) when they are online. In particular, the Draft Regulations propose additional data protection obligations with which “network information service providers” (i.e., organizations and individuals using networks to provide users with information technology, information services and information products, including online platform service providers and providers of online content and products) would need to comply. The definition of a “network information service provider” appears to catch any individual or business that operates websites or processes online data in China.

Some of the key provisions of the Draft Regulations include:

Network information service providers must conduct reviews of the information published on their platform. If any content is deemed unsuitable for minors, a warning must be placed prominently before the content is displayed. The Draft Regulations recognize the need for relevant authorities to publish policies to offer guidance to organizations on how to manage information unsuitable for minors.

“Minors’ personal information” is given a wide definition, and would capture all kinds of information, whether recorded electronically or through other means, that when alone or taken together with other information is sufficient to identify a minor’s identity, including but not limited to a minor’s full name, location, residential address, date of birth, contact information, account name, identification number, personal biometric information, and photographs.

Individuals or organizations collecting and using minors’ personal information online must clearly notify (for example, by way of a website privacy policy) the purposes, means and scope of collecting or using such personal information and obtain the consent of the minor or their parent/guardian. The Draft Regulations would require “specific privacy policies” to be formulated for such collection and use to enhance protection of minors’ personal information, although it is unclear whether the authorities would require a separate privacy policy specifically aimed at minors and their parent/guardian to be published on websites. Amid the uncertainties, if the Draft Regulations are passed, individuals or organizations collecting and using minors’ personal information online, especially on websites that are targeted at minors, are urged to review their existing privacy policies to ensure that as a minimum the required consent is obtained and that their privacy policy at least clearly addresses collection of data from or about minors.

Network information service providers that offer search functions on their platforms would not be allowed to display search results that comprise minors’ personal information. If a minor or his/her parent/guardian requests that a network information service provider delete or block the minor’s personal information that is available online, the network information service provider would be required to do so.

Consultation on the Draft Regulations closes on 6 February 2017. It is hoped that some of the uncertainties in the Draft Regulations will be clarified before the Draft Regulations are finalized and come into force. In the meantime, organizations – particularly those whose websites are aimed at young people – are warned that, if passed, the Draft Regulations would require a pro-active review and update of their Chinese websites and privacy policies, and data collection/retention policies and procedures, to address these new safeguards.